
What Is a Computer Virus, Really?

You’ve heard the term, but what does it actually mean? Learn from our expert how these self-replicating programs sneak in, spread, and slow your system down, plus what you need to know to stay ahead.

Neil J. Rubenking, Principal Writer, Security

(Design: Lily Yeh | AI-generated image via ChatGPT/Daniel Megias/Getty Images)

You surely have some idea how a computer virus works, though you may not know the details. Somehow it weasels its way into your computer, and then the computer slows way down…or it starts making mistakes…or something. Right? In truth, a virus is a very specific type of program with the unusual ability to replicate itself, like a biological virus. I’ve been reviewing the programs that fight viruses (and other malware) for nearly 40 years, and I’ve learned a thing or two. Let me share just how these nasty programs work and what you can do to avoid them.

Before we start, though, I’d like to eliminate one source of confusion—your antivirus app. Back when I was first reviewing them, antivirus programs literally defended against viruses, and only viruses. Some even listed the viruses they could disinfect in the (printed) user manual. The picture below is a replica of a manual I encountered at a malware conference in 2010; the manual itself dated back to the 80s. Nowadays, other types of malicious software have largely supplanted viruses. We still call the app an antivirus, but it does so much more.

(Design: Lily Yeh/Jeffrey Hazelwood)

What Is a Computer Virus?

A computer virus is a program. Like other programs, it’s defined by what it does, and the big thing a virus does is replicate itself. The virus exists as a collection of computer instructions attached to another program, called the host. When the host program runs, the virus code runs first. Its prime directive is to seek out other programs and inject its code, infecting them and turning them into new hosts.

If replicating itself were all a virus did, it might not be so bad. Sure, there’s a little extra processing time wasted each time the virus code runs. But like a biological virus, a successful computer virus must avoid killing the host. Infecting the same file over and over could cause it to get endlessly bigger and bigger, eventually crashing the system. Most viruses check to avoid reinfecting an existing host.

The problem lies in what we call the payload, the action that the virus takes besides replicating itself. Early experimental viruses might just display a message or send a joke. But other payloads grew more problematic, right up to sending commands that would physically damage disks. These would typically activate only after a trigger event, like reaching a birthday or other date, so they could spread widely before attracting attention.


Can My Smartphone Catch a Virus?

When I started reviewing PC software in the 80s, there were endless PC-compatible brands and endless variations on DOS. To ensure compatibility, systems had to stay loose, which meant plenty of openings for virus writers. At nearly the same time, Apple’s computer line evolved under total control by Apple. The result was a much tighter system, not immune to malware attacks, but certainly more resistant.

With the advent of the iPhone and iOS, Apple kicked security up another notch. Basically, no iOS program can touch another program on disk or in memory. This walled garden approach makes writing iOS malware impractical, if not impossible. When I attend security conferences like RSAC and Black Hat, I see iPhones everywhere, because the security experts know. Yes, iPhone is what I use myself.

Multiple companies manage their own versions of Android, so it’s not as airtight as iOS, but they all generally stay current with ongoing security enhancements (as long as you keep buying new phones, that is).

The virus approach, spreading malware by infecting other programs, just isn’t feasible in the smartphone world. What malware coders can do is create apps that look useful but secretly serve some nefarious purpose—Trojans, in other words. Apple’s tight rein on its app store mostly prevents such attacks, and attacks focused on the iPhone generally rely on physical access to the device. Meanwhile, on the Android side, malicious apps regularly appear in the Google Play Store until they’re booted out.

In short, smartphones just aren’t suitable subjects for a virus attack, but you might pick up a Trojan in the app store. You still need to be careful, just not explicitly for viruses.


Why Are Viruses Less Common Than They Once Were?

Before I ever thought to study computer viruses, I heard about them in the news. They had odd names, like Brain, Lehigh, and Jerusalem, and news media gave them plenty of ink. Viruses continued to pop up in the news for many years. You didn’t hear much about any other kinds of malicious software except the occasional network worm. Yet today, the news is dominated by ransomware, data breaches, and Trojan Horse programs. What changed?

First, as I’ll explain below, the switch from original-PC COM files to modern PE programs made writing viruses a lot harder. And when your PC boots from a hard drive, an old-school virus that can only replicate itself by booting from a diskette doesn’t have much of a chance. In any case, modern UEFI systems use a different boot-time technology, one that can be protected against manipulation.

Second, the rise of the virus infestations naturally triggered a reaction in the form of antivirus programs. A well-designed antivirus could disinfect host files and remove boot sector viruses from memory, repairing the disk as well. With the rise of Windows and multitasking, antivirus software could watch in real time to prevent virus infestation. Plus, Microsoft made its Defender Antivirus an integral part of Windows 10 and 11, providing an antivirus to any PC lacking third-party protection.

Third, and most important, the advent of the ubiquitous internet made existing virus attack techniques irrelevant. Back when PC enthusiasts (myself included) shared programs and ASCII art by trading diskettes, every trade had the potential to infect a new computer. But with universal access to the internet, nobody swaps diskettes. It’s a lot easier to write a Trojan Horse program (a valid-seeming program that contains malicious code) and trick people into running it than to write a virus that infects other programs.

I see this change in my own work. Every year, I gather thousands of real-world malware programs to select a representative group to use in my hands-on testing. As part of the process, I check each against the VirusTotal database. That database identifies the vast majority of them as Trojans.

As a final nail in the coffin, viruses don’t make money. These days, there’s a whole malware industry with distributors, affiliates, supply chains, and all the trappings of a legitimate business. Malefactors can rake in cash by renting out networks of bot-infested computers, or sell personal data sucked in by data-stealing Trojans, or just go for the jugular with ransomware that encrypts files and demands big bucks to restore them. There’s no ROI in a virus that trashes hard disks.


How Does a Virus Infect a Program?

Back when the IBM PC was new, it ran on an operating system cleverly named DOS, short for disk operating system. Program files for DOS had the extension COM, and a COM file on disk was just a list of machine-level instructions for the PC’s CPU.

To launch a program, DOS simply copied it byte for byte into memory and executed the first instruction. It kept on executing instructions one after another, except when an instruction told it to jump to a different spot in the program. Eventually, it encountered an instruction telling it to end the program. Simple.

(Design: Lily Yeh)

When a virus attacks such a program, the first thing it does is commit the program’s very first instruction to memory. It copies its own code to the end of the host program’s file and then overwrites that first instruction with a jump to the virus code. The virus code handles replication and checks whether to launch its payload. When it has finished, it restores the saved first instruction and jumps to it. At this point, the host program runs as usual.

As I showed in the virus manual replica at the start of this article, these simple viruses always increased the host file's size by a fixed amount. The Cascade virus, one of the first that I acquired for testing antivirus tools, always added 1701 bytes, so it was sometimes just called the 1701 virus.
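The two traits just described, a fixed size increase and a first instruction replaced by a jump to the end of the file, are exactly what a simple integrity check can look for. The sketch below is an added example, not code from this article or from any antivirus product; the function names and the sample bytes are made up for illustration, and it assumes you recorded the file's size while it was known to be clean.

```python
import struct

def entry_jump_offset(image: bytes):
    """File offset that the first instruction jumps to, or None if it is not a jump.

    DOS loads a COM file at offset 0x100 of a 64 KB segment, so the target is
    computed in 16-bit arithmetic and then converted back to a file offset.
    """
    if len(image) >= 3 and image[0] == 0xE9:      # JMP rel16
        (rel,) = struct.unpack_from("<h", image, 1)
        size = 3
    elif len(image) >= 2 and image[0] == 0xEB:    # JMP rel8
        (rel,) = struct.unpack_from("<b", image, 1)
        size = 2
    else:
        return None
    return ((0x100 + size + rel) & 0xFFFF) - 0x100

def check_com(image: bytes, baseline_size: int):
    """Compare a COM image with the size recorded while it was known clean."""
    findings = []
    growth = len(image) - baseline_size
    if growth > 0:
        findings.append(f"file grew by {growth} bytes")
        target = entry_jump_offset(image)
        if target is not None and baseline_size <= target < len(image):
            findings.append(f"first instruction jumps into the added bytes at {target:#x}")
    return findings

# Constructed samples: a 64-byte stand-in program and a copy altered the way the
# article describes, with inert filler (0xCC) where appended code would sit.
CLEAN = bytes([0xB4, 0x4C, 0xCD, 0x21]) + b"\x90" * 60   # mov ah,4Ch / int 21h, padding
ALTERED = b"\xE9" + struct.pack("<h", len(CLEAN) - 3) + CLEAN[3:] + b"\xCC" * 1701
```

Running check_com on the altered sample with a baseline of 64 bytes reports both the 1701-byte growth and the redirected first instruction; the clean sample produces no findings.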

Modern Windows programs use the portable executable (PE) file format and have the EXE extension. These PE files are a lot more complicated than the old COM files. They’re organized into chunks of various types, including headers, indexes, data areas, and executable code. The Windows program loader knows how to handle these chunks. A virus infecting such a file has a tougher job, but the basic path is the same—attach virus code to the host and arrange so the virus code executes before handing off control to the host.
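The same idea carries over to PE files: read the headers, find which section holds the program's entry point, and ask whether that looks normal. The following is an added example, not code from this article; it goes a step beyond the text by applying a common analyst heuristic (entry point in the last section, or in a section that is both writable and executable), and the function names and header-only sample files are constructed for illustration.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # section Characteristics bits

def pe_sections(image: bytes):
    """Return (entry_point_rva, [(name, rva, vsize, flags), ...]) from the headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing DOS header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, opt_size = struct.unpack_from("<H12xH", image, pe_off + 6)
    (entry,) = struct.unpack_from("<I", image, pe_off + 40)  # AddressOfEntryPoint
    table = pe_off + 24 + opt_size                           # section table
    sections = []
    for i in range(nsect):
        name, vsize, rva, flags = struct.unpack_from("<8sII20xI", image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize, flags))
    return entry, sections

def entry_point_findings(image: bytes):
    """Flag an entry point in the last section or in a writable+executable one."""
    entry, sections = pe_sections(image)
    for idx, (name, rva, vsize, flags) in enumerate(sections):
        if rva <= entry < rva + vsize:
            findings = []
            if len(sections) > 1 and idx == len(sections) - 1:
                findings.append(f"entry point is in the last section ({name})")
            if flags & MEM_WRITE and flags & MEM_EXECUTE:
                findings.append(f"entry section {name} is writable and executable")
            return findings
    return ["entry point is outside every section"]

def build_headers(entry, sections):
    """Constructed sample: PE32 headers only, no code or data behind them."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 16, entry)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sII20xI", n, vs, rva, fl) for n, rva, vs, fl in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

TEXT = (b".text", 0x1000, 0x800, 0x60000020)    # read + execute
DATA = (b".data", 0x2000, 0x200, 0xC0000040)    # read + write
EXTRA = (b".extra", 0x3000, 0x400, 0xE0000020)  # read + write + execute
CLEAN = build_headers(0x1000, [TEXT, DATA])
SUSPECT = build_headers(0x3010, [TEXT, DATA, EXTRA])
```

Packed or copy-protected programs can trip the same checks, so a finding here is a reason to look closer, not a verdict.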


How Does a Virus Infect a Disk?

Harking back once more to the thrilling days of yesteryear, the original IBM PC didn’t have a hard drive. You’d boot from the DOS disk, then swap in a program disk, and possibly use yet another disk to save your data. When the PC powered on, it knew to look at a location on the disk called the boot sector for instructions to load the operating system, which would then remain in memory and manage things like launching programs and writing data files.

Some too-clever folks realized that they could add their own instructions to the boot sector, so it would load virus code in memory along with DOS. Any time you’d insert another disk, the virus would write its code to the boot sector. And, as with file-infecting viruses, there was usually a payload.


What Is a Worm? Is It a Kind of Virus?

There’s another kind of malicious software called a worm, and it’s easy to get worms and viruses mixed up, as they both replicate themselves. The difference is that a virus only runs when launched from its host program or disk, while a worm is a self-contained program that propagates across the network without infecting other programs or disks.

A worm replicates by copying itself to other compatible computers on the network. In 1971, before the advent of the internet, a worm called Creeper spread through a subset of ARPANET, displaying the taunt “I'M THE CREEPER: CATCH ME IF YOU CAN.” Its spread was limited by the fact that only a few dozen compatible computers existed on the network, and a follow-up called Reaper had the sole purpose of removing Creeper from the network.

Creeper and Reaper predated the PC by years. As the internet grew, so did the potential for damage by a worm. The Morris worm, released in 1988, was designed to measure the extent of the budding internet, but due to a coding error, it nearly crashed the network. You’ll want to watch PCMag’s documentary about the Morris worm. Keep an eye out for a cameo appearance by yours truly.


What Are Some Famous Viruses?

In 1986, a couple of programmers at a computer shop in Lahore, Pakistan, created an anti-piracy tool that was effectively a boot sector virus. Its code contained the authors' names and addresses. To their surprise, the “Pakistani Brain” virus, considered the first PC virus, spread around the world. 25 years later, security rockstar Mikko Hyppönen tracked down the authors, who were still at the same address, and created a mini-documentary about the search. I attended an early screening of the video, which I'm sharing here (with Mikko's permission).

(Credit: Mikko Hyppönen/F-Secure)

While the Brain virus was fairly innocuous, the Jerusalem virus, released the very next year, was quite the opposite. It would take up residence in memory and infect every program that ran, both COM and EXE files. And on any Friday the 13th, it would show its dark side, deleting every program that was launched and infecting EXE files over and over until they became impossibly large.

Around the same time, a virus appeared at Lehigh University in Pennsylvania. It only affected the essential DOS program COMMAND.COM, but after four infections, it would wipe the boot sector of the active DOS disk. Fortunately, it was caught and eliminated before it could spread beyond the university. In 1989, PCMag used the Lehigh virus to test antivirus products.

The Michelangelo virus from 1991 was another nasty one. Security researchers named it Michelangelo because it activated its payload on March 6, the famous artist’s birthday. Most of the time, it simply replicated itself like any other boot sector virus. But if your computer booted on the fateful day, the virus overwrote important data on all attached diskettes and hard disks, rendering the system unbootable.

Even as these viruses made the news, other types of malware were on the rise. As noted, the Morris worm, which nearly took down the internet, appeared in 1988. In 1999, the so-called Melissa virus slowed email systems worldwide. But Melissa is an email-based attack using macro technology to send itself to others, not a true virus. With global use of email and the internet, the heyday of the computer virus was over.


Do I Need to Worry About Viruses?

Now you know just what a virus is, and what it isn’t. Widespread worry about viruses is a thing of the distant past. Modern malware coders make their illegitimate living using other types of malware, such as ransomware or data-stealing Trojans. If a literal virus does slip past your antivirus, an antivirus update will probably wipe it out within days, or even hours. And its payload code may well sit idle, waiting for a trigger event that never occurs.

Are you inspired to learn more about the malicious software anxious to infest your computer? I'm happy to share details about how I test antivirus defenses and how I collect the malware that I use for those tests. I've even collected images from my malware research so you can see what a malware infestation looks like.

About Our Expert

Neil J. Rubenking

Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMware Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.